PSL- "How do I..."

vhdlcohen · Posted: Mon May 10, 2004 9:24 am **Post subject:**

Are you using a default clock?
// psl default clock= (posedge clk);
// assuming in-line psl

Also, your "clock sequence clk_seq = {clk[*3];~clk};" is telling me tht you're using a Cadence formal verification tool. The "clock sequence" is Cadence specific. I used Incisive Static Verifier in our book, and it worked ok.
I did not experience this multi-edge clock issue that you are addressing.
By the way, below is the vunit taht we used in our book for the Cadence Incisive Static Verifier:

bdeadman · Posted: Mon May 10, 2004 10:09 am **Post subject:**

First, my apologies for the mistake in the code I posted on Saturday - Ben's interpretation was correct.

I have to admit I have a lot more experience of simulation than formal verification, but I don't think the semantics of PSL in the simple form we're using them here define exactly the relationship of assumed signals to clocks, just that the signal must be setup between the sampling clock edges. I'll try to enquire if any more assumptions are made.

As you probably know, you can over-ride the default clock for a single property by adding the clock to the end of the property, for example:

always { a } |=> { !c[*] ; c } @ (negedge clk1);

One way you may be able to achieve the visualization you require is to selectively include the clock into your property and to sample (assume) it on BOTH edges of the clock, for example:

always { (a&&clk1) } |=> { {(!c&&!clk1);(!c&&clk1)}[*] ; (!c&&!clk1);(c&&clk1) } @ (clk1);

As you can see, this is cumbersome, but the requirement is now that c should become true between the falling and rising edges of clk1. It still doesn't guarantee the waveform will look exactly the way you understand it, but I think that's a function of the formal model check tool.

Regards

Bernard

vhdlcohen · Posted: Mon May 10, 2004 10:59 am **Post subject:**

Some Model Checking Expectations and Rules about model checking (those are rules that are applicable in today's technology, and will change as the technology matures):
1. A first and foremost requirement for Model Checking is that designs need to be synthesizable and cycle-based.
2. Single clock designs are better supported by today's tool.
On that subject, some vendors are making good progress on handling multi-clock issues.
http://www.athdl.com/pdf/Clock_Domain_Datasheet.pdf is a paper on "Clock Domain Visualization and Analysis". Notice that from the paper, it appears to be an "analysis tool", and I have no knowledge on how the tool hndles multi-clock properties in PSL. I would not be suprised if the latest version (or the next version) handles the multi-clock assertions
Looking at http://www.safelogic.se/products/safelogicverifier.asp
Safelogic states "Supports multiple synchronous clocks.".
In any case, thw synchronous single clock case, ONE EDGE, is the best supported case.

You need to watch how multiple clocks are exressed in PSL

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

Thanks for the input. I am using the Cadence tool, but not it's most up to date version containing the Black Tie technology. I hesitated to mention the tool name because I didn't know if I should be mentioning specific tools on this site. But anyway...

I still get problems with the tool I'm using with the code that has been suggested. However, I may put off my investigation until I can move up to the new tool.

It seems like it may be beneficial for others to formally verify the 3 properties of the simple module below instead of me posting my examples of what is not working. Let me know what you think should work and try it if you can. Going through this exercise seems to show that formally verifying some simple properites as below in a very simple and small module takes a lot of work. Another question to consider is whether OVL could be be used with the formal tools to constrain the inputs. Seems like using OVL would make it even more difficult. And there are some things like describing the clock which don't seem possible.

vhdlcohen · Posted: Mon May 10, 2004 3:16 pm **Post subject:**

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

vhdlcohen · Posted: Mon May 10, 2004 3:53 pm **Post subject:**

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

I'll try some things and get back tomorrow. But I think in NCSIM (LDV5.1) when the assertion fails on a negedge, all the registers that are on a negedge get update to their new value before the simlation stops. So, when the values are dumped, the updated values are seen. Also, I think the waveform will display the updated values if you click on the transition of the assertion failure.

The suggestion to use a different edge than what most registers in my design clock on came from Cadence. Seems like they do the same thing and have suggested it to others.

vhdlcohen · Posted: Mon May 10, 2004 4:41 pm **Post subject:**

You are mostl likely correct about what you are saying. They also suggested the same thing to me, and I used that approach in our book in some cases. Since I was not doing any dump, it made no difference to me. However, I see your point.
Formal verification is different though!
I would like to know your results.
Thanks,
Ben
_________________
Ben Cohen http://www.systemverilog.us/
* SystemVerilog Assertions Handbook, 3rd Edition, 2013
* A Pragmatic Approach to VMM Adoption
* Using PSL/SUGAR ... 2nd Edition
* Real Chip Design and Verification
* Cmpt Design by Example
* VHDL books

bdeadman · Posted: Tue May 11, 2004 5:46 am **Post subject:**

Hi,

My comments are out of sequence, but Romi wrote

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

staitccheck does do vacuity checks. However, from the description and examples in the manual, it doesn't seem like it would prevent over constraining. It looks like it checks for things like:

always (signal == 1);

always (signal == 0);

My problem was that I was writing properties that, in the end, basically made the inputs never do anything. So, the internal checks never failed.

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

Below is the code I ran on my previous example above. I'm now using negedge everywhere.

I ran into a few problems...

The first counter example shows that deallocate goes to 1 before allocate or set. This triggered the deallocate_when_not_active assertion. How can I say that allocate needs to be the first input to go to 1?

A second counter example, which I don't quite understand, shows allocate going to 1 and setting the active register on the first negedge. Then, on the next negedge allocate AND deallocate go to 1 causing the allocate_when_active assertion to fire. It doesn't seem to be following a couple properties. Since set never goes to 1 before deallocate, the allocate_to_set property seems violated and also since allocate AND deallocate go to 1 on the same cycle, the same_time property seems to be violated. I wish I could insert an image here w/o having to store it to a http location.

I can probably take the second counter example problem up with the vendor if the results seem suspicious.

The first problem however seems like it would be a common "How do I..." problem encounter by many. Thanks.

bdeadman · Posted: Tue May 11, 2004 8:38 am **Post subject:**

The way I was looking at vacuity checks was in the context of a property like:

always { SequenceA } |=> { SequenceB };

In these circumstances, if you tighten the constraints so much that SequenceA never happens, you have vacuous satisfaction of the property. And of course if SequenceA does happen the property must be satisfied anyway, therefore vacuity is a good check constraints. I don't think it has much value in the case of a property like:

always { boolean } ;

however!

In the specific example, I'm not sure I understand the requirement. Must set, allocate and deallocate be active for one, and only one cycle, or can they be many cycles in duration?

My guess is we painted too general a picture when we were talking about the three properties. If they should be active for just one cycle I think you need properties of the form:

always { a } |=> {(!a && !b && !c)[*] ; (!a && b && !c) } !

This says that once 'allocate' is true, there can be any number of cycles where there is no set, allocate or deallocate, until there is eventually a cycle where set is true but not allocate or deallocate are not.

Is this the correct interpretation? If so, you'll need to change the other two properties in a similar way.

I also wonder if the under this scenario the 'never' property is required? Once the allocate, set, deallocate cycle starts I don't think there is any way you can get two signals active at the same time, though I haven't had enough coffee yet to figure out what happens at the beginning! Do you have a reset signal? Perhaps that's the key to getting operations to start correctly?

Regards

Bernard

romi · Senior Joined: Feb 28, 2004 Posts: 88 Location: Minnesota

Your example makes a lot of sense. I changed my code to use the form you mentioned and I commented out the same_time property. However, I get the exact same counter examples!

The first one is obviously still there because it still hasn't be addressed. Nothing is preventing b or c (set or deallocate in my example) from going to 1 before a (allocate).

The second one where the sequence goes a on the first negedge and a AND c on the next negedge is still a mystery.